1-11 PKI ConfigurationPKI OverviewThe Public Key Infrastructure (PKI) is a hierarchical framework designed for providing informationsecurity through public key technologies and digital certificates and verifying the identities of the digitalcertificate owners.PKI employs digital certificates, which are bindings of certificate owner identity information and publickeys. It allows users to obtain certificates, use certificates, and revoke certificates. By leveraging digitalcertificates and relevant services like certificate distribution and blacklist publication, PKI supportsauthenticating the entities involved in communication, and thus guaranteeing the confidentiality,integrity and non-repudiation of data.PKI TermsDigital certificateA digital certificate is a file signed by a certificate authority (CA) that contains a public key and therelated user identity information. A simplest digital certificate contains a public key, an entity name, anda digital signature from the CA. Generally, a digital certificate also includes the validity period of the key,the name of the CA and the sequence number of the certificate. A digital certificate must comply with theinternational standard of ITU-T_X.509. This manual involves two types of certificates: local certificateand CA certificate. A local certificate is a digital certificate signed by a CA for an entity, while a CAcertificate, also known as a root certificate, is signed by the CA for itself.CRLAn existing certificate may need to be revoked when, for example, the user name changes, the privatekey leaks, or the user stops the business. Revoking a certificate is to remove the binding of the publickey with the user identity information. In PKI, the revocation is made through certificate revocation lists(CRLs). Whenever a certificate is revoked, the CA publishes one or more CRLs to show all certificatesthat have been revoked. The CRLs contain the serial numbers of all revoked certificates and provide aneffective way for checking the validity of certificates.A CA may publish multiple CRLs when the number of revoked certificates is so large that publishingthem in a single CRL may degrade network performance.CA policyA CA policy is a set of criteria that a CA follows in processing certificate requests, issuing and revokingcertificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification practicestatement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk, ande-mail. As different CAs may use different methods to check the binding of a public key with an entity,make sure that you understand the CA policy before selecting a trusted CA for certificate request.